05/17/2023
2:30pm - 3:45pm
Level: Intermediate
Ted Neward
Principal
Neward and Associates
The Internet was born believing that everybody who used it would do so in good faith and without malicious intent. That assumption has long since been proven false, so we build systems that require authentication (the ability for a user to prove who they are) and authorization (the ability to know which actions a user is allowed to perform).
But just creating a "username/password dialog" isn't the answer, either. The space is rife with pitfalls and failures, because most developers are never taught how to build secure systems and have to stumble along blindly as a result. And now the technology has multiplied: Kerberos, OAuth, OpenID, SSO, JWTs, PKCE, and more. It's an alphabet soup so jumbled that the path of "we know it's weak, but a username/password dialog is just sooooo much simpler..." sounds attractive. (I mean, who's really going to hack our system, anyway, right?)
In this presentation, we'll start from basic principles of identity, and walk through the need--and the solutions that arose from that need--to arrive at a good understanding of how modern auth-and-auth systems work.
You will learn: